docker: switch from musl to glibc, and simplify stuff
The Dockerfile now has two stages: build and assembly.
This allows for a full-fledged debian build container,
while still resulting in a super-thin busybox image.

License: MIT
Signed-off-by: Lars Gierth <[email protected]>
Lars Gierth committed Sep 8, 2017
1 parent f55a7a0 commit 944210c
Showing 4 changed files with 94 additions and 85 deletions.
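--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,5 @@
+Dockerfile
+Dockerfile.faster
 .git/
 !.git/HEAD
 !.git/refs/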
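Review bot: The entry `Dockerfile.faster` matches no file in this commit; the second Dockerfile is named `Dockerfile.fast`, so it is still sent with the build context. An edit to that file alone would then invalidate the `COPY . $SRC_DIR` layer and force a full rebuild. The entry should read `Dockerfile.fast`.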
84 changes: 43 additions & 41 deletions Dockerfile
@@ -1,11 +1,46 @@
FROM alpine:edge
FROM golang:1.9-stretch
MAINTAINER Lars Gierth <[email protected]>

# There is a copy of this Dockerfile called Dockerfile.fast,
# which is optimized for build time, instead of image size.
#
# Please keep these two Dockerfiles in sync.

ENV GX_IPFS ""
ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs

COPY . $SRC_DIR

# Build the thing.
RUN cd $SRC_DIR \
# Required for getting the HEAD commit hash via git rev-parse.
&& mkdir .git/objects \
# Allows using a custom (i.e. local) IPFS API endpoint.
&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > /root/.ipfs/api) \
# Build the thing.
&& make build

# Get the TLS CA certificates, they're not provided by busybox.
RUN apt-get install -y ca-certificates

# Now comes the actual target image, which aims to be as small as possible.
FROM busybox:1-glibc
MAINTAINER Lars Gierth <[email protected]>

# Get the ipfs binary, entrypoint script, and TLS CAs from the build container.
ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs
COPY --from=0 $SRC_DIR/cmd/ipfs/ipfs /usr/local/bin/ipfs
COPY --from=0 $SRC_DIR/bin/container_daemon /usr/local/bin/start_ipfs
COPY --from=0 /etc/ssl/certs /etc/ssl/certs

# This shared lib (part of glibc) doesn't seem to be included with busybox.
COPY --from=0 /lib/x86_64-linux-gnu/libdl-2.24.so /lib/libdl.so.2

# This installs a very simple program acting as the init process.
# Makes sure signals are properly passed to the ipfs daemon process.
ENV TINI_VERSION v0.16.1
ADD https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini /sbin/tini
RUN chmod +x /sbin/tini

# Ports for Swarm TCP, Swarm uTP, API, Gateway, Swarm Websockets
EXPOSE 4001
Expand All @@ -14,51 +49,18 @@ EXPOSE 5001
EXPOSE 8080
EXPOSE 8081

# IPFS API to use for fetching gx packages.
# This can be a gateway too, since its read-only API provides all gx needs.
# - e.g. /ip4/172.17.0.1/tcp/8080 if the Docker host
# has the IPFS gateway listening on the bridge interface
# provided by Docker's default networking.
# - if empty, the public gateway at ipfs.io is used.
ENV GX_IPFS ""
# The IPFS fs-repo within the container
# Create the fs-repo directory and switch to a non-privileged user.
ENV IPFS_PATH /data/ipfs
# The default logging level
ENV IPFS_LOGGING ""
# Golang stuff
ENV GOPATH /go
ENV PATH /go/bin:$PATH
ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
RUN mkdir -p $IPFS_PATH && adduser -D -h $IPFS_PATH -u 1000 -g 100 ipfs
USER ipfs

# Expose the fs-repo as a volume.
# start_ipfs initializes an fs-repo if none is mounted
# start_ipfs initializes an fs-repo if none is mounted.
# Important this happens after the USER directive so permission are correct.
VOLUME $IPFS_PATH

# Get the go-ipfs sourcecode
COPY . $SRC_PATH

RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
&& apk add --no-cache tini su-exec bash wget ca-certificates \
# Setup user
&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
# Install gx
&& go get -u github.com/whyrusleeping/gx \
&& go get -u github.com/whyrusleeping/gx-go \
# Point gx to a specific IPFS API
&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
# Invoke gx
&& cd $SRC_PATH \
&& gx --verbose install --global \
&& mkdir .git/objects && commit=$(git rev-parse --short HEAD) \
&& echo "ldflags=-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
# Build and install IPFS and entrypoint script
&& cd $SRC_PATH/cmd/ipfs \
&& go build -ldflags "-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
&& cp ipfs /usr/local/bin/ipfs \
&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
&& chmod 755 /usr/local/bin/start_ipfs \
# Remove all build-time dependencies
&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
# The default logging level
ENV IPFS_LOGGING ""

# This just makes sure that:
# 1. There's an fs-repo, and initializes one if there isn't.
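Review bot: The tini binary fetched by `ADD https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini /sbin/tini` is never verified, although the comment above it says it acts as the init process of the container. Pinning `TINI_VERSION` fixes the URL, not the bytes served from it, so a replaced release asset would go straight into the image. Download it in the build stage, check it against a SHA-256 recorded in the Dockerfile, and copy the verified file into the busybox stage; this also removes the separate `RUN chmod` layer. The same unverified `ADD` appears in Dockerfile.fast. The digest in the sketch is a placeholder to be filled in from the checksum published with the tini release.

```dockerfile
# … unchanged: build stage up to the ca-certificates step …
ENV TINI_VERSION v0.16.1
# Placeholder: replace with the SHA-256 published for this tini release.
ENV TINI_SHA256 REPLACE_WITH_PUBLISHED_SHA256
RUN curl -fsSL -o /tmp/tini https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini \
  && echo "$TINI_SHA256  /tmp/tini" | sha256sum -c - \
  && chmod +x /tmp/tini

# … unchanged: FROM busybox:1-glibc and the other COPY --from=0 lines …
COPY --from=0 /tmp/tini /sbin/tini
```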
84 changes: 49 additions & 35 deletions Dockerfile.fast
@@ -1,55 +1,69 @@
FROM alpine:edge
FROM golang:1.9-stretch
MAINTAINER Lars Gierth <[email protected]>

# This is a copy of /Dockerfile,
# except that we optimize for build time, instead of image size.
#
# Please keep these two Dockerfiles in sync.

ENV GX_IPFS ""
ENV SRC_DIR /go/src/github.com/ipfs/go-ipfs

COPY ./package.json $SRC_DIR/package.json

RUN set -x \
&& go get github.com/whyrusleeping/gx \
&& go get github.com/whyrusleeping/gx-go \
# Allows using a custom (i.e. local) IPFS API endpoint.
&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > /root/.ipfs/api) \
# Fetch the dependencies so we don't have to do it everytime.
&& cd $SRC_DIR \
&& gx install

COPY . $SRC_DIR

# Build the thing.
RUN set -x \
&& cd $SRC_DIR \
# Required for getting the HEAD commit hash via git rev-parse.
&& mkdir .git/objects \
# Build the thing.
&& make build \
&& mv cmd/ipfs/ipfs /usr/local/bin/ipfs \
&& mv bin/container_daemon /usr/local/bin/start_ipfs

# This installs a very simple program acting as the init process.
# Makes sure signals are properly passed to the ipfs daemon process.
ENV TINI_VERSION v0.16.1
ADD https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini /sbin/tini
RUN chmod +x /sbin/tini

# Ports for Swarm TCP, Swarm uTP, API, Gateway, Swarm Websockets
EXPOSE 4001
EXPOSE 4002/udp
EXPOSE 5001
EXPOSE 8080
EXPOSE 8081

ENV GX_IPFS ""
# Create the fs-repo directory and switch to a non-privileged user.
ENV IPFS_PATH /data/ipfs
ENV IPFS_LOGGING ""
ENV GOPATH /go
ENV PATH /go/bin:$PATH
ENV SRC_PATH /go/src/github.com/ipfs/go-ipfs
RUN mkdir -p $IPFS_PATH \
&& useradd -s /usr/sbin/nologin -d $IPFS_PATH -u 1000 -g 100 ipfs \
&& chown 1000:100 $IPFS_PATH
USER ipfs

# Expose the fs-repo as a volume.
# start_ipfs initializes an fs-repo if none is mounted.
# Important this happens after the USER directive so permission are correct.
VOLUME $IPFS_PATH

# This is an optimization which avoids rebuilding
# of the gx dependencies every time anything changes.
# gx will only be invoked if the dependencies have changed.
#
# Put differently: if package.json has changed,
# the image-id after this COPY command will change,
# and trigger a re-run of all following commands.
COPY ./package.json $SRC_PATH/package.json

RUN apk add --no-cache --virtual .build-deps-ipfs musl-dev gcc go git \
&& apk add --no-cache tini su-exec bash wget ca-certificates \
&& adduser -D -h $IPFS_PATH -u 1000 ipfs \
&& go get -u github.com/whyrusleeping/gx \
&& go get -u github.com/whyrusleeping/gx-go \
&& ([ -z "$GX_IPFS" ] || echo $GX_IPFS > $IPFS_PATH/api) \
&& cd $SRC_PATH \
&& gx --verbose install --global

COPY . $SRC_PATH

RUN cd $SRC_PATH \
&& mkdir .git/objects && commit=$(git rev-parse --short HEAD) \
&& echo "ldflags=-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
&& cd $SRC_PATH/cmd/ipfs \
&& go build -ldflags "-X github.com/ipfs/go-ipfs/repo/config.CurrentCommit=$commit" \
&& cp ipfs /usr/local/bin/ipfs \
&& cp $SRC_PATH/bin/container_daemon /usr/local/bin/start_ipfs \
&& chmod 755 /usr/local/bin/start_ipfs \
&& apk del --purge .build-deps-ipfs && rm -rf $GOPATH && rm -vf $IPFS_PATH/api
# The default logging level
ENV IPFS_LOGGING ""

# This just makes sure that:
# 1. There's an fs-repo, and initializes one if there isn't.
# 2. The API and Gateway are accessible from outside the container.
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]

# Execute the daemon subcommand by default
CMD ["daemon", "--migrate=true"]
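Review bot: Both `go get github.com/whyrusleeping/gx` and `go get github.com/whyrusleeping/gx-go` build whatever the default branch holds at build time, and the resulting `gx` then runs in the `gx install` step, presumably as root since `USER ipfs` only comes later. Because this file has a single stage, that tool code also ends up in the image that is shipped. Pin both tools to a reviewed commit, for example `go get -d` followed by `git checkout <GX_COMMIT>` in the cloned directory and `go install`, so a rebuild cannot silently pick up new tool code. Separately, `echo $GX_IPFS > /root/.ipfs/api` writes into a directory that no visible line creates; a preceding `mkdir -p /root/.ipfs` looks necessary whenever GX_IPFS is set.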
9 changes: 0 additions & 9 deletions bin/container_daemon
100644 → 100755
@@ -1,16 +1,7 @@
#!/bin/sh
set -e
user=ipfs
repo="$IPFS_PATH"

if [ `id -u` -eq 0 ]; then
# ensure folder is writable
su-exec "$user" test -w "$repo" || chown -R -- "$user" "$repo"
# restart script with new privileges
exec su-exec "$user" "$0" "$@"
fi

# 2nd invocation with regular user
ipfs version

if [ -e "$repo/config" ]; then
